Amendments to the Claims:

This listing of claims replaces all prior versions, and listings, of claims in this application. 
Listing of Claims: 

1. (Currently Amended) A system for extracting information from network data,
comprising: 

an input interface connected to at least one source of network data; and 
a network event sensor, communicating with the input interface, the network event sensor 
comprising 

an interpreter module, the interpreter module scanning the network data to generate 
logical groupings of the network data, and 

an assembler module, communicating with the interpreter module, the assembler module 
scanning the logical groupings to generate at least one session object, 

wherein the network event sensor applies a lexical engine to the at least one session 
object recursively to identify the at least one network event as at least one of a predetermined set 
of event types. 

2. (Original) The system of claim 1, wherein the at least one source of network data
comprises an observation port connected to a network and continuously capturing network data
from the network.

3. (Original) The system of claim 2, wherein the observation port comprises a network
interface card. 

4. (Original) The system of claim 3, wherein the network comprises at least one of an 
Ethernet network, a token ring network, and a TCP/IP network. 

5. (Original) The system of claim 3, wherein the network interface card is invisible to the 
network. 

6. (Original) The system of claim 1, wherein the at least one source of network data 
comprises stored network data. 

7. (Original) The system of claim 6, wherein the stored network data comprise at least 
one of captured network files, Website mirrors, archives of Usenet files, and archives of email 
files. 

8. (Cancelled) 

9. (Previously Presented) The system of claim 1, wherein the logical groupings comprise
packets.

10. (Previously Presented) The system of claim 1, wherein the interpreter module
removes low-level encoding information from the network data to generate the logical
groupings.

11. (Original) The system of claim 10, wherein the low-level encoding information 
removed by the interpreter module comprises hardware addressing information. 

12. (Cancelled) 

13. (Previously Presented) The system of claim 1, wherein the at least one session object 
comprises at least one session file. 

14. (Previously Presented) The system of claim 1, wherein the assembler module scans 
the logical groupings by examining at least one of source address, destination address, sequence 
numbers, source port, and destination port to generate the at least one session object. 



15. (Cancelled) 



16. (Previously Presented) The system of claim 1, wherein the lexical engine detects the
presence of at least one predefined keyword to identify the at least one of a predetermined set of
event types.

17. (Original) The system of claim 16, wherein the predetermined set of event types
comprises at least one of TCP, IP, UDP, SMTP, HTTP, NNTP, FTP, TELNET, DNS, RIP, BGP, 
MAIL, NEWS, HTML, XML, PGP, S/MIME, POP, IMAP, V-CARD, ICMP, NetBUI, IPX and 
SPX. 

18. (Original) The system of claim 16, wherein the lexical engine accumulates a total 
number of occurrences for the at least one predefined keyword to identify the event type. 

19. (Original) The system of claim 18, wherein the lexical engine applies a threshold to 
the number of occurrences to identify the event type. 

20. (Cancelled). 

21. (Previously Presented) The system of claim 1, further comprising an extractor
module, the extractor module extracting the at least one network event from the at least one 
session object according to the at least one of a predetermined set of event types. 

22. (Original) The system of claim 21, wherein the extractor module comprises a library
of extractor types, each of the extractor types corresponding to at least one of the at least one of a
predetermined set of event types.

23. (Original) The system of claim 22, wherein the extractor module stores a minimum
subset of the network data to reconstruct the at least one network event. 

24. (Original) The system of claim 23, wherein the minimum subset of the network data 
is stored in a database. 

25. (Original) The system of claim 24, further comprising a presentation module, 
communicating with the database, the presentation module querying the database for information 
related to the at least one network event. 

26. (Original) The system of claim 1, wherein the network event sensor also applies a
port detection engine to the network data to identify the at least one network event. 

27. (Original) The system of claim 1, wherein the at least one source of network data 
comprises a plurality of sources of network data. 

Serial No.: 09/552,878
Art Unit: 2157
Attorney's Docket No.: MAN0002-US

28. (Currently Amended) A method for extracting information from network data,
comprising the steps of:

receiving network data from at least one source of network data;

scanning the network data to generate logical groupings of the network data;

scanning the logical groupings to generate at least one session object; and

recursively applying at least a lexical engine to the at least one session object to identify
at least more than one network event type contained in the at least one session object.

29. (Original) The method of claim 28, wherein the at least one source of network data 
comprises an observation port connected to a network and continuously capturing network data 
from the network. 

30. (Original) The method of claim 29, wherein the observation port comprises a 
network interface card. 

31. (Original) The method of claim 30, wherein the network comprises at least one of an
Ethernet network, a token ring network, and a TCP/IP network. 

32. (Original) The method of claim 30, wherein the network interface card is invisible to 
the network. 

33. (Original) The method of claim 28, wherein the at least one source of network data
comprises stored network data.

34. (Original) The method of claim 33, wherein the stored network data comprise at least
one of captured network files, Website mirrors, archives of Usenet files, and archives of email
files.

35. (Cancelled)

36. (Previously Presented) The method of claim 28, wherein the logical groupings
comprise packets.

37. (Previously Presented) The method of claim 28, further comprising a step of d)
removing low level encoding information from the network data to generate the logical
groupings.

38. (Original) The method of claim 37, wherein the low-level encoding information
comprises hardware addressing information.



39. (Cancelled) 



40. (Currently Amended) The method of claim 28, wherein the at least one session
object comprises at least one session file.

41. (Currently Amended) The method of claim 28, wherein the step of scanning the
logical groupings comprises a step of examining at least one of source address, destination 
address, sequence numbers, source port, and destination port to generate the at least one session 
object. 

42. (Currently Amended) The method of claim 28, further comprising a step of g)
identifying the at least one network event as at least one of a predetermined set of event types. 

43. (Previously Presented) The method of claim 42, wherein the step of identifying 
comprises a step of detecting the presence of at least one predefined keyword to identify the at 
least one of a predetermined set of event types. 

44. (Original) The method of claim 43, wherein the predetermined set of event types 
comprises at least one of TCP, IP, UDP, SMTP, HTTP, NNTP, FTP, TELNET, DNS, RIP, BGP, 
MAIL, NEWS, HTML, XML, PGP, S/MIME, POP, IMAP, V-CARD, ICMP, NetBUI, IPX and 
SPX. 



45. (Previously Presented) The method of claim 43, wherein the step of detecting
comprises a step of accumulating a total number of occurrences for the at least one predefined
keyword to identify the event type.

46. (Previously Presented) The method of claim 45, wherein the step of detecting
comprises a step of applying a threshold to the number of occurrences to identify the event type. 

47. (Cancelled) 

48. (Previously Presented) The method of claim 42, further comprising a step of 
extracting the at least one network event from the at least one session object according to the at 
least one of a predetermined set of event types. 

49. (Previously Presented) The method of claim 48, wherein the step of extracting 
comprises a step of selecting at least one extractor module from a library of extractor types, each 
of the extractor types corresponding to at least one of the at least one of a predetermined set of 
event types. 

50. (Previously Presented) The method of claim 49, further comprising a step of storing 
a minimum subset of the network data to reconstruct the at least one network event. 

51. (Previously Presented) The method of claim 50, wherein the step of storing
comprises a step of storing the minimum subset of the network data in a database.

52. (Previously Presented) The method of claim 51, further comprising a step of
querying the database for information related to the at least one network event. 

53. (Previously Presented) The method of claim 28, further comprising a step of 
applying a port detection engine to the network data to identify the at least one network event.

54. (Original) The method of claim 28, wherein the at least one source of network data
comprises a plurality of sources of network data. 
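
An illustrative sketch of the pipeline the claims recite, added here as an example and not part of the filing or the applicant's implementation: packets are assembled into session objects (claim 14), and a lexical engine counts keywords against a threshold (claims 16, 18 and 19) and is re-applied to what follows each identified layer, which is one reading of "recursively" in claims 1 and 28. The keyword patterns, threshold value, packet dictionaries and function names are assumptions.

```python
import re
from collections import defaultdict

# Assumed keyword patterns and threshold; the claims give neither.
KEYWORDS = {
    "SMTP": [r"^HELO ", r"^MAIL FROM:", r"^RCPT TO:", r"^DATA$"],
    "MAIL": [r"^From: ", r"^To: ", r"^Subject: "],
    "HTML": [r"<html", r"<body", r"</html>"],
}
THRESHOLD = 2

def assemble(packets):
    """Claim 14: group by addresses and ports, order by sequence number."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p["src"], p["dst"], p["sport"], p["dport"])].append(p)
    return {key: "".join(p["data"] for p in sorted(pkts, key=lambda p: p["seq"]))
            for key, pkts in groups.items()}

def identify(text):
    """Claims 16, 18, 19: count keywords, apply threshold, recurse on the rest."""
    best = None
    for etype, patterns in KEYWORDS.items():
        hits = [m for pat in patterns for m in re.finditer(pat, text, re.M | re.I)]
        if len(hits) < THRESHOLD:
            continue  # too few keyword occurrences to call this event type
        first, last = min(m.start() for m in hits), max(m.end() for m in hits)
        if best is None or first < best[1]:
            best = (etype, first, last)  # outermost layer starts earliest
    if best is None:
        return []
    # Re-apply the engine to what follows the identified layer (nested events).
    return [best[0]] + identify(text[best[2]:])

# Constructed sample packets, deliberately out of order.
A = dict(src="10.0.0.5", dst="10.0.0.9", sport=40000, dport=25)
B = dict(src="10.0.0.7", dst="10.0.0.9", sport=40001, dport=25)
PACKETS = [
    dict(A, seq=3, data="<html><body>report</body></html>\n.\n"),
    dict(A, seq=1, data="HELO client.example\nMAIL FROM:<a@example.test>\n"
                        "RCPT TO:<b@example.test>\nDATA\n"),
    dict(B, seq=1, data="Subject: lone keyword, below threshold\n"),
    dict(A, seq=2, data="From: a@example.test\nTo: b@example.test\n"
                        "Subject: status\n\n"),
]

def run():
    return {key: identify(text) for key, text in assemble(PACKETS).items()}

print(run())
```

The second constructed session contains a single keyword occurrence, so the threshold of claim 19 leaves it unclassified.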



